Help - System

Administration

This is where all the administration settings are configured, and the first section is for administrative users.

Management web GUI ports

For security reasons, it may be better to run the management web GUI on non-standard ports. Also note that if web-based user authentication is enabled, ports 80 and 443 will be taken; the management web GUI has to use other ports.

  • HTTP Port - The insecure (plain HTTP) admin access port.
  • HTTPS Port - The secure (HTTPS) admin access port.

Administrative users

The first column shows the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, change settings of the DFL-1100, and so on. The Read-only user can only look at the configuration. The second column shows the users in each access level.

Administrative Access per interface

  • Ping - If enabled, specifies who can ping the interface IP of the DFL-1100. The default, if enabled, is to allow anyone to ping the interface IP.
  • Admin - If enabled, allows all users with admin access to connect to the DFL-1100 and change the configuration. The allowed protocols can be HTTPS only, or HTTP and HTTPS.
  • Read-Only - If enabled, allows all users with read-only access to connect to the DFL-1100 and look at the configuration. The allowed protocols can be HTTPS only, or HTTP and HTTPS. If an interface has only Read-Only access enabled and no Admin access, admin users can still connect, but will be in read-only mode.
  • SNMP - Specifies whether SNMP should be allowed on the interface; the DFL-1100 only supports read-only SNMP access.

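
The per-interface access rules above combine into a small decision table, and the read-only fallback for admin users is the case worth getting right. The following is an added illustration of that table, not the DFL-1100's own code: the InterfaceAccess fields and the setting values "https" / "http+https" are assumptions made for the example, as is the sample configuration.

```python
# Decision model for the per-interface administrative access settings above.
# Added illustration, not DFL-1100 firmware code: the InterfaceAccess fields
# and the string values "https" / "http+https" are assumptions for the example.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InterfaceAccess:
    name: str
    ping: bool = False                 # anyone may ping the interface IP
    admin: Optional[str] = None        # None, "https", or "http+https"
    read_only: Optional[str] = None    # None, "https", or "http+https"
    snmp: bool = False                 # read-only SNMP only on this product


def _protocol_allowed(setting: Optional[str], protocol: str) -> bool:
    """Does the interface setting permit a login over this protocol?"""
    if setting is None:
        return False
    if setting == "https":
        return protocol == "https"
    if setting == "http+https":
        return protocol in ("http", "https")
    raise ValueError(f"unknown access setting {setting!r}")


def effective_access(iface: InterfaceAccess, user_level: str, protocol: str) -> Optional[str]:
    """Return "admin", "read-only", or None (connection refused) for a
    management login of the given user level over the given protocol."""
    if user_level not in ("administrator", "read-only"):
        raise ValueError(f"unknown user level {user_level!r}")
    if user_level == "administrator" and _protocol_allowed(iface.admin, protocol):
        return "admin"
    # Admin users on an interface that only has Read-Only enabled still get
    # in, but in read-only mode; read-only users never get more than that.
    if _protocol_allowed(iface.read_only, protocol):
        return "read-only"
    return None


def exposed_admin_interfaces(interfaces) -> list:
    """Names of interfaces where full admin access is enabled over plain HTTP;
    a quick check against managing the firewall over an unencrypted channel."""
    return [i.name for i in interfaces if i.admin == "http+https"]


# Constructed sample configuration: LAN allows everything, WAN only read-only
# over HTTPS, DMZ nothing.
SAMPLE_INTERFACES = [
    InterfaceAccess("LAN", ping=True, admin="http+https", read_only="http+https", snmp=True),
    InterfaceAccess("WAN", read_only="https"),
    InterfaceAccess("DMZ"),
]

if __name__ == "__main__":
    wan = SAMPLE_INTERFACES[1]
    print(effective_access(wan, "administrator", "https"))   # read-only
    print(exposed_admin_interfaces(SAMPLE_INTERFACES))        # ['LAN']
```

Running the check over a real configuration export would flag any interface, the WAN in particular, where the HTTP management port is reachable with admin rights.
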
Interfaces

LAN or DMZ Interface Settings

On the LAN or DMZ interface settings it's possible to configure the IP addresses of the interfaces.

  • IP Address - The IP address of the LAN or DMZ interface. This is the address that may be used to ping the firewall, and used as gateway IP on either network.
  • Subnet Mask - Size of the internal or DMZ network.

WAN Interface Settings - Using Static IP

If you are using Static IP, you have to fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. Do not use the numbers displayed in these fields; they are only an example.

  • IP Address - The IP address of the WAN interface. This is the address that may be used to ping the firewall, remote management and as source address for dynamically translated connections.
  • Subnet Mask - Size of the external network.
  • Gateway IP - Specifies the IP address of the default gateway used to reach the Internet.
  • Primary and Secondary DNS Server - The IP addresses of your DNS servers; only the Primary DNS is required.

WAN Interface Settings - Using DHCP

If you are using DHCP, there is no need to enter any values in any of the fields.

WAN Interface Settings - Using PPPoE

Use the following procedure to configure the DFL-1100 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the username and password provided by your ISP.

  • Username - The login or username supplied by your ISP.
  • Password - The password supplied by your ISP.
  • Service Name - When using PPPoE some ISPs require you to fill in a Service Name.
  • Primary and Secondary DNS Server - The IP addresses of your DNS servers; these are optional and are often provided by the PPPoE service.

WAN Interface Settings - Using PPTP

PPTP over Ethernet connections are used in some DSL and cable modem networks.

You need your account details, and possibly also IP configuration parameters of the actual physical interface that the PPTP tunnel runs over. Your ISP should supply this information.

  • Username - The login or username supplied by your ISP.
  • Password - The password supplied by your ISP.
  • PPTP Server IP - The IP of the PPTP server that the DFL-1100 should connect to.

Before PPTP can be used to connect to your ISP, the physical (WAN) interface parameters need to be supplied. It is possible to use either DHCP or a static IP; which one depends on the ISP, and the ISP should supply this information.

If using static IP, this information needs to be filled in.

  • IP Address - The IP address of the WAN interface. This IP is used to connect to the PPTP server.
  • Subnet Mask - Size of the external network.
  • Gateway IP - Specifies the IP address of the default gateway used to reach the Internet.

WAN Interface Settings - Using BigPond

The ISP Telstra BigPond uses BigPond authentication; the IP address is assigned with DHCP.

  • Username - The login or username supplied to you by your ISP.
  • Password - The password supplied to you by your ISP.

Traffic Shaping

When Traffic Shaping is enabled and the correct maximum upstream and downstream bandwidth is specified, it is possible to control which policies have the highest priority when large amounts of data are moving through the DFL-1100. For example, the policy for the web server might be given higher priority than the policies for most employees' computers.

You can use traffic shaping to guarantee the amount of bandwidth available through the firewall for a policy. Guarantee bandwidth to make sure that there is enough bandwidth available for a high-priority service. You can also use traffic shaping to limit the amount of bandwidth available through the firewall for a policy. Limit bandwidth so that less important services do not use bandwidth needed for more important services.

MTU Configuration

To improve the performance of your Internet connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-1100 transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-1100 and the Internet. If the packets the DFL-1100 sends are larger, they get broken up or fragmented, which could slow down transmission speeds.

Trial and error is the only sure way of finding the optimal MTU, but there are some guidelines that can help. For example, the MTU of many PPP connections is 576, so if you connect to the Internet via PPPoE, you might want to set the MTU size to 576. DSL modems may also have small MTU sizes. Most Ethernet networks have an MTU of 1500.

Note: If you connect to your ISP using DHCP to obtain an IP address for the external interface, you cannot set the MTU below 576 bytes due to DHCP communication standards.

VLAN

VLANs are a way of adding "virtual" interfaces to the firewall without adding more physical interfaces. This is accomplished by using an 802.1Q-enabled switch with per-port VLAN tagging.

  • Name - Name of the virtual interface.
  • Physical - The physical interface the 802.1Q-enabled switch is attached to.
  • VLAN ID - The 802.1Q VLAN ID with which the switch tags frames sent to the firewall.
  • IP Address - The IP address of the VLAN interface. This is the local address of the DFL-1100 on the attached VLAN network.
  • Subnet Mask - The network size of the IP network on the VLAN.

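
To make the "Physical" and "VLAN ID" fields concrete, here is an added example of what the firewall has to do with each frame arriving from the switch: read the 802.1Q tag and map (physical interface, VLAN ID) to a VLAN interface. This is not DFL-1100 code; the sample frames are constructed, and the table layout mapping (physical, vlan_id) to a name is an assumption for illustration.

```python
# Parser for the 802.1Q tag that a VLAN-capable switch adds to frames sent to
# the firewall, mapped onto the VLAN interface table described above. Added
# example, not DFL-1100 code: the sample frames are constructed and the
# (physical, vlan_id) -> name table layout is an assumption for illustration.
import struct
from typing import Dict, NamedTuple, Optional, Tuple

TPID_8021Q = 0x8100          # EtherType value announcing an 802.1Q tag


class Frame(NamedTuple):
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None for an untagged frame
    pcp: Optional[int]       # 3-bit priority code point from the tag
    ethertype: int           # EtherType of the encapsulated payload
    payload: bytes


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_8021q(frame: bytes) -> Frame:
    """Parse an Ethernet II frame, extracting the VLAN ID if tagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != TPID_8021Q:
        return Frame(_mac(dst), _mac(src), None, None, etype, frame[14:])
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_etype = struct.unpack("!HH", frame[14:18])
    pcp = tci >> 13              # bits 15..13
    vlan_id = tci & 0x0FFF       # bits 11..0; bit 12 is DEI, ignored here
    if vlan_id in (0, 4095):     # 0 = priority-only tag, 4095 reserved
        raise ValueError(f"reserved VLAN ID {vlan_id}")
    return Frame(_mac(dst), _mac(src), vlan_id, pcp, inner_etype, frame[18:])


def vlan_interface_for(table: Dict[Tuple[str, int], str], physical: str, frame: Frame) -> Optional[str]:
    """Name of the VLAN interface that receives this frame on the given
    physical port, or None if no VLAN interface is configured for the tag."""
    if frame.vlan_id is None:
        return None
    return table.get((physical, frame.vlan_id))


# Constructed samples. TCI 0x600A = PCP 3, DEI 0, VLAN ID 10; payload is the
# start of an IPv4 header (EtherType 0x0800).
TAGGED = bytes.fromhex("001122334455" "66778899aabb" "8100" "600a" "0800" "45000014")
UNTAGGED = bytes.fromhex("001122334455" "66778899aabb" "0800" "45000014")
VLAN_TABLE = {("LAN", 10): "vlan10", ("LAN", 20): "vlan20"}

if __name__ == "__main__":
    f = parse_8021q(TAGGED)
    print(f.vlan_id, f.pcp, hex(f.ethertype), vlan_interface_for(VLAN_TABLE, "LAN", f))
```

The lookup is keyed on the physical interface as well as the tag, so the same VLAN ID arriving on a different physical port does not land on the wrong virtual interface; that matches the separate "Physical" field in the configuration.
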
Routing

The Routes configuration section describes the firewall's routing table. The DFL-1100 uses a slightly different way of describing routes compared to most other systems. However, we believe that this way of describing routes is easier to understand, making it less likely for users to cause errors or security breaches.

  • Interface - Specifies which interface packets destined for this route shall be sent through.
  • Network - Specifies the network address for this route.
  • Gateway - Specifies the IP address of the next router hop used to reach the destination network. If the network is directly connected to the firewall interface, no gateway address is specified.
  • Local IP Address - The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in ARP queries. If no address is specified, the firewall's own interface IP address will be used.
  • Proxy ARP - Specifies that the firewall shall publish this route via Proxy ARP.

One advantage of this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateway's IP address, or even when the route that covers the gateway's IP address is normally routed via another interface.

The difference from the most commonly used notation is that, in the conventional form, you do not specify the interface name in a separate column. Instead, you specify the IP address of each interface as a gateway.

Note: The firewall does not Proxy ARP routes on VPN interfaces.
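
The paragraphs above contrast the interface-plus-gateway notation with the conventional gateway-only one. The following added example, which is not DFL-1100 code, models both lookups side by side on a constructed table so the difference is visible: a route whose gateway lies outside every directly connected network resolves cleanly when the interface is stated explicitly, and cannot be resolved at all when the interface has to be inferred from the gateway.

```python
# Model of the interface + network + gateway route notation described above,
# beside a resolver for the conventional gateway-only notation, to show the
# case the text mentions: a gateway that no other route covers. Added example,
# not DFL-1100 code; the table is constructed.
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


class Route(NamedTuple):
    interface: str
    network: IPv4Network
    gateway: Optional[IPv4Address] = None   # None: network is directly connected
    proxy_arp: bool = False


def _best_match(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the table; None when nothing covers dst."""
    best = None
    for r in table:
        if dst in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, IPv4Address]]:
    """DFL-1100 style: the route names its interface, so the answer is
    (interface, next hop) with no second lookup of the gateway."""
    addr = IPv4Address(dst)
    best = _best_match(table, addr)
    if best is None:
        return None
    return best.interface, best.gateway if best.gateway is not None else addr


def gateway_only_interface(table: List[Route], dst: str) -> Optional[str]:
    """Conventional style: the interface is implied by whichever directly
    connected network covers the gateway. Returns None when no connected
    network covers it, which is exactly the route the explicit notation can
    still express."""
    best = _best_match(table, IPv4Address(dst))
    if best is None:
        return None
    if best.gateway is None:
        return best.interface
    for r in table:
        if r.gateway is None and best.gateway in r.network:
            return r.interface
    return None


# Constructed table. The 10.20.0.0/16 route points at a gateway (172.16.0.9)
# that is not inside any directly connected network.
TABLE = [
    Route("lan", IPv4Network("192.168.1.0/24")),
    Route("dmz", IPv4Network("192.168.2.0/24")),
    Route("wan", IPv4Network("203.0.113.0/24")),
    Route("wan", IPv4Network("0.0.0.0/0"), IPv4Address("203.0.113.1")),
    Route("dmz", IPv4Network("10.20.0.0/16"), IPv4Address("172.16.0.9")),
]

if __name__ == "__main__":
    print(lookup(TABLE, "10.20.5.5"))                 # ('dmz', 172.16.0.9)
    print(gateway_only_interface(TABLE, "10.20.5.5")) # None
```

The explicit interface column also removes a class of misconfiguration: a route can never silently end up on the interface that happens to cover its gateway rather than the one the administrator intended.
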

HA

DFL-1100 High Availability works by adding a backup firewall to your existing firewall. The backup firewall has the same configuration as the primary firewall. It stays inactive, monitoring the primary firewall, until it deems that the primary firewall is no longer functioning, at which point it goes active and assumes the active role in the cluster. When the other firewall comes back up, it assumes a passive role, monitoring the now active firewall.

In an HA cluster, configuration changes (policy, etc.) made on one unit are automatically synchronized to the other unit. HA clusters can only be created if the WAN connection has static IP addresses. Three public IP addresses are required for the cluster: one for each cluster member, and one shared address.

As a complement to the failover functionality, the cluster members can monitor up to 6 addresses per physical interface to determine whether or not the interface and attached network is functioning properly. If the majority of the monitored hosts on a given interface become unreachable, the unit assumes that the network connection is faulty and attempts to fail the cluster over to the other unit.

Logging

Logging, the ability to audit decisions made by the firewall, is a vital part in all network security products. The D-Link DFL-1100 provides several options for logging its activity. The D-Link DFL-1100 logs its activities by sending the log data to one or two log receivers in the network. No log data is stored on the firewall itself.

All logging is done to Syslog recipients. The log format used for Syslog logging is suitable for automated processing and searching. To use Syslog, fill in your first Syslog server as Syslog server 1; if you have two Syslog servers, fill in the second one as Syslog server 2. You must fill in at least one Syslog server for logging to work. You can also specify which facility to use by selecting the appropriate Syslog facility. Local0 is the default facility.

The D-Link DFL-1100 specifies a number of events that can be logged. Some of those events, for instance start-up and shutdown events, are mandatory and will always generate log entries. Others, for instance logging when allowed connections are opened and closed, are configurable. It is also possible to have e-mail alerting for IDS/IDP events to up to three e-mail addresses.
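
The facility selected on the firewall ends up as part of the numeric PRI field at the front of every syslog message, and that is what the receiver uses to route the firewall's stream into its own file. The following added example, not DFL-1100 code, encodes the local0 facility the way a sender would, decodes it the way a receiver does, and filters constructed sample lines by facility; the message text after the PRI is invented and is not the firewall's real log format.

```python
# Syslog PRI handling for the facility selection described above: encode the
# facility/severity a firewall would send, decode what a receiver gets, and
# filter a receiver's lines by facility. Added example, not DFL-1100 code; the
# sample lines are constructed and the message text after the PRI is made up,
# not the firewall's real log format.
import re
from typing import Dict, List, Tuple

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "logaudit": 13, "logalert": 14, "clock": 15,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
_FACILITY_BY_CODE = {v: k for k, v in FACILITIES.items()}
_SEVERITY_BY_CODE = {v: k for k, v in SEVERITIES.items()}
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 / RFC 5424)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return _FACILITY_BY_CODE[pri // 8], _SEVERITY_BY_CODE[pri % 8]


def parse_syslog_line(line: str) -> Dict[str, object]:
    """Parse the leading <PRI> field; the rest of the line is left as text."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a <PRI> field")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "message": m.group(2)}


def lines_for_facility(lines: List[str], facility: str) -> List[str]:
    """Messages whose PRI carries the given facility; a receiver would route
    the firewall's local0 stream to its own file this way."""
    out = []
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed["facility"] == facility:
            out.append(parsed["message"])
    return out


# Constructed sample: two firewall lines on local0 (PRI 134 = 16*8 + 6, info)
# and one unrelated local1 line; the message bodies are invented.
SAMPLE_LINES = [
    "<134>Jan  1 00:00:01 dfl1100 conn open tcp 192.168.1.10:4321 -> 198.51.100.5:443",
    "<134>Jan  1 00:00:09 dfl1100 conn close tcp 192.168.1.10:4321 -> 198.51.100.5:443",
    "<137>Jan  1 00:00:10 otherhost startup",
]

if __name__ == "__main__":
    print(encode_pri("local0", "info"))               # 134
    print(lines_for_facility(SAMPLE_LINES, "local0"))
```

Because the firewall keeps no log data locally, the syslog receivers are the only copy of the audit trail; configuring both Syslog server 1 and Syslog server 2 guards against losing it when one receiver is down, and the receivers belong on a trusted network since classic syslog over UDP carries no authentication.
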

Time

The Time settings page gives you the option to either set the system time by syncing to an Internet time server using the Network Time Protocol (NTP), or to enter the system time by hand.